Title: Migrating to Cloud-based ERP solution
A. ABC Automobiles Ltd is a luxury bus maker in South India, with technology infrastructure adequate for a changing environment. The company has four branch offices and more than 300 employees, including those at the branches. Of these, more than 40 employees work in the finance and accounts departments. At present the company maintains non-integrated accounting software, which requires a large amount of manual documentation.
With the changing environment and future business growth in view, the company's board has decided to migrate from the existing non-integrated software to 'Wilson's On Cloud Solution' (WOCS), an ERP package. The new ERP software will cover all business process functions, from sales and marketing and purchase management to payroll, inventory management, and financial and management accounting, so that real-time business information is available.
B. ABC Automobiles Ltd (the auditee) appointed M/s XYZ Enterprises LLP (Chartered Accountants, referred to as the auditor) to conduct the Cloud ERP System Audit of the auditee. The auditor firm has extensive experience in conducting IS audits. The firm has 5 partners (CAs), 3 system auditors (CISA) and 5 other technical staff, all with good knowledge and experience in their respective domains.
| S.No | Team Member Name | Qualification | Designation |
|------|------------------|---------------|-------------|
| 1 | Mr. X | FCA, CISA | Team Leader |
| 2 | Mr. Y | FCA, CISA | Co-Team Leader |
| 3 | Mr. Z | FCA, CISA | Co-Team Leader |
| 4 | Mr. P | FCA, DISA | Team Member |
| 5 | Mr. Q | M.Tech, PhD (IT), BE (Software) | Software Engineer and Programmer |
| 6 | Mr. R | M.Tech, BE (Software) | Software Engineer and Programmer |
| 7 | Mr. S | PhD (IT-Hardware Engineer) | Hardware Engineer |
2. Auditee Environment
Nature of business:-
ABC Automobiles Ltd is a luxury bus maker in South India, engaged in manufacturing heavy buses for passenger transportation. The company makes buses for regular passenger transport as well as for tourist use.
The company board consists of 7 directors: one Managing Director (CEO), one Finance Director (CFO), a Sales & Marketing Director, a Chief Operational Director (COO), a Chief Information Officer (CIO) and 2 Executive Directors. The board sets policy and procedure and lays down the strategy for completing business tasks, which are executed and implemented by managerial and operational staff, from each individual department head down to operational-level staff.
At present the company uses non-integrated accounting software, which will no longer be useful given the changing business and technology environment. The company's infrastructure is otherwise well equipped, but it does not use any ERP software to integrate all its business functions on a single platform. The MD is confident that, with adequate training, the finance and accounts departments can be made familiar with a cloud-based ERP.
Moving to the cloud will eliminate the need to purchase servers and storage hardware, i.e. a reduction in OPEX (operating expenses).
Apart from the respective tax laws, corporate law, labour law etc. and the IT Act 2000, the company is not bound by any other legal compliance such as RBI, SEBI, Banking Regulation or IRDA requirements. The company has a compliance department that looks into compliance matters, and its work is reviewed by the internal audit function. For effective operation of the compliance department, the company has standard policies, procedures and guidance that define the regulatory requirements applying to it.
Information Security Policy:-
- Acceptable Use Policy:- The company has defined the acceptable use of computer devices and equipment, and the security measures employees must follow to protect organizational resources.
- Clean Desk Policy:- The company has defined the minimum requirements of a clean desk policy, such as keeping sensitive or critical information of the company, employees and customers, and intellectual property, secured in a locked area.
- Encryption Policy:- The company has defined the acceptable encryption algorithms for system security and protection from unauthorized access.
- Digital Signature Acceptance Policy:- The company has defined when a 'Digital Signature' is considered an acceptable means of validating the identity of a signer in electronic communications and documents.
- Password Policy:- The company has defined high-level password configuration requirements for system access and email access, to secure information and identity. Further, there is a policy of changing passwords within 90 days.
- Network Security Policy:- The company has defined overall network access rules, such as a remote access policy (the software permitted for remote access), a wireless communication policy for connecting to the company network, and standards for the minimum security configuration of routers and switches inside the computer network.
- Server Security Policy:- The company has defined requirements around the installation of third-party software and the security configuration of servers. Further, the company has defined proper requirements for the disposal of equipment such as hard drives, USB drives, CD-ROMs etc.
- Business Continuity Management Policy:- The company has defined requirements to ensure continuity of critical business operations. It is designed to minimize the impact of unforeseen events and to facilitate the return of the business to normal levels.
Internal Policies and Procedure:-
ABC Ltd. has used best-in-class security and control practices in implementing security for its cloud IT infrastructure. This security system is subject to rigorous audit by independent ISO auditors (as mandated by ISO 27001 and ISAE 3402) before certification, and is also subject to regular IS audit using global best practices.
Since the company has decided to change its accounting tool from a traditional system to the cloud-based ERP (WOCS), the most important task is to migrate the data to the ERP system first. This can be done via batch processing, under which the data is uploaded first and then another person approves these transactions. Once the data is processed, the next critical operation is to reconcile it with the traditional data to check whether all data has been carried over completely and in the form required. In the cloud ERP system, the system is hosted on the cloud and the ERP service provider takes care of hosting. This is based on the Software as a Service (SaaS) model, wherein the company accesses the software while the service provider manages it, including the operating system and execution environment.
To check all these critical operations the company wants an independent auditor. The auditor (XYZ Enterprises) will audit these functions from the beginning: mapping of codes, ledgers and groups, data uploading, reconciliation, report spooling and trade checking, to establish whether all ERP modules (vendor data, inventory management, financial accounting, sales and purchase, payroll etc.) work effectively and efficiently on the cloud site provided by the cloud service provider. The auditor will also verify that the effect of one data entry on other ERP functions is proper and correct.
For this purpose the auditor will thoroughly check whether system configuration and settings have been manipulated or modified. Further, the auditor will check the IT infrastructure configuration (operating system, servers, networking devices and tools) and the security controls thereof, to determine whether CIA (confidentiality, integrity and availability) is threatened by unauthorized access, data manipulation etc., which could be a major threat to the organization. In addition, the auditor will check whether the vendor is responsible for maintaining hardware and software, such as patches, upgrades and refreshes.
In the existing system the company has non-integrated accounting and inventory systems with limited functionality. The biggest concern is the difficulty of integrating the accounts (annual and half-yearly closing) and the large amount of time consumed in reconciling purchase and sales accounting, as well as matching inventory in the inventory tool.
With growing demand for its products, the company wants to run its business on a cloud ERP system to meet future business requirements.
| S. No | Area of Risk | Risk and Control Required |
|-------|--------------|---------------------------|
| 1 | Software as a Service (SaaS) | 1. Unauthorized License:- Examine the tools used for usage tracking and licensing.<br>2. Reporting:- Examine the accuracy of reporting.<br>3. Due to the complexity of the technical architecture and restrictions imposed by the CSP, replicating data back to the enterprise or to another CSP may be difficult. To avoid this, the company should use a less complex cloud structure in terms of size. |
| 2 | Virtualization | It allows servers and storage to be shared and utilized by applications to an increasing degree. |
| 3 | Access Control | 1. Maintain appropriate egress and ingress filtering.<br>2. No unauthorized access. |
| 4 | Communication Channels | Communication protocols used to communicate with other data centres:- |
| 5 | Data Management and Data Storage | 1. The CSP may not be able to match the client's (auditee's) RPO and/or RTO.<br>2. A complex cloud environment structure can result in wrong or delayed data recovery. |
| 6 | Business Discontinuity and others | 1. Discontinuity of service delivery by the Cloud Service Provider (CSP) may have a severe impact on the auditee's business, e.g. blackout, delay in service. To avoid this, the company must specify this clause in the 'Service Level Agreement' and obtain confirmation of how the CSP will avoid these circumstances.<br>2. Conflict of law due to country-specific regulations and rules, if the cloud service provider is not a domestic enterprise. The auditee must avoid such circumstances with the CSP. |
5. Terms and Scope of assignment
The auditor has defined the scope of the assignment as follows:-
- How much security is enough?
- Criticality of the application being moved to the cloud.
- Cloud vendor policy on vulnerability management reporting.
- Independent auditor report.
- What is the impact on the auditor when the client uses a 'Cloud ERP System', and how will data held at the cloud service provider be audited?
- What is the impact on compliance and security?
- Who is responsible for data security?
- Review contractual compliance between the cloud service provider and the customer, i.e. the auditee.
- Control issues specific to the cloud service provider.
- Country, regional and industry regulations.
Areas where the auditor's consulting services are required:-
- Create and implement a governance strategy.
- Create and implement a security strategy.
6. Logistic arrangements required
The auditor requires the following hardware, software (application and system), information, and system configuration documentation.
- Hardware:- The auditor (XYZ Enterprises LLP) needs 3 laptops, 4 desktops, networking cables, data cables and power backup equipment for execution of the assignment. All hardware must be configured to be compatible with the software.
- Software (Application as well as System):- We need licensed software installed on all desktops and laptops so as to work in the auditee's IT environment, with high-bandwidth internet access.
- Information:- We need the information to be audited, which may be data, audio, video, electronic-form data, images etc.
- System Configuration Documents:- We need system configuration documentation from the supplier or vendor of the hardware, software and source code, to understand the technical details clearly.
ISO 27001 Information Security Management System:-
It is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process. The company (auditee) has obtained a certificate from the ISO certification body stating that it meets the objectives of ISO 27001. The aim is to provide confidence and assurance to clients and customers that it follows accepted best business practices.
Use of CAAT Tools (Computer Aided Audit Techniques):-
The use of CAAT tools improves the audit process and helps in data extraction and analysis. The techniques are as follows:-
- Generalized Audit Software:- This tool is effective and efficient for IS audit. In this method the Access Control List (ACL) is a table under which data is locked down as read-only to prevent inadvertently changing it. The organization defines access rights for each system user; every user has different rights such as read-only, read and modify, approve etc.
- Utility Programs:- These programs are used to perform common data processing functions such as sorting, creating and printing files. These utilities do not contain features such as automatic record counts or control totals.
- Test Data:- Test data involves the auditor using a sample set of data to assess whether logic errors exist in a program and whether the program meets the organization's objectives. It provides information about internal controls and any weaknesses that exist.
- Audit Expert System:- In this technique the auditor performs tests of details of transactions and balances, analytical review procedures, compliance tests of IS general controls, compliance tests of IS application controls, and vulnerability testing.
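The migration procedure described earlier (batch upload, approval by a second person, then reconciliation of the migrated data against the legacy ledger) and the record counts and control totals mentioned under CAAT techniques can be checked with a small script of the kind an IS auditor would run over ledger extracts. The following is an added example and not part of the original report or of the WOCS product; the ledger rows, batch records, user names and ledger codes are constructed sample data, and the row layout (voucher id, ledger code, amount) is an assumption.

```python
"""Added example: maker/checker enforcement and control-total reconciliation
for a legacy-to-ERP data migration. Sample data below is constructed."""
from collections import defaultdict
from decimal import Decimal

# Constructed legacy ledger extract: (voucher_id, ledger_code, amount).
LEGACY_LEDGER = [
    ("V001", "SALES", Decimal("1500.00")),
    ("V002", "SALES", Decimal("250.50")),
    ("V003", "PURCHASE", Decimal("-800.00")),
    ("V004", "INVENTORY", Decimal("800.00")),
]

# Constructed migration batches as uploaded to the ERP: each batch records
# who uploaded it (maker), who approved it (checker) and the rows it carried.
MIGRATED_BATCHES = [
    {"batch_id": "B1", "maker": "alice", "checker": "bob", "approved": True,
     "rows": [("V001", "SALES", Decimal("1500.00")),
              ("V002", "SALES", Decimal("250.50"))]},
    # Same person uploaded and approved: segregation-of-duties failure.
    {"batch_id": "B2", "maker": "carol", "checker": "carol", "approved": True,
     "rows": [("V003", "PURCHASE", Decimal("-800.00"))]},
    # Uploaded but never approved, so its rows are not yet processed.
    {"batch_id": "B3", "maker": "dave", "checker": None, "approved": False,
     "rows": [("V004", "INVENTORY", Decimal("800.00"))]},
]


def control_totals(rows):
    """Record count and amount total per ledger code (the control totals a
    plain utility program does not produce)."""
    totals = defaultdict(lambda: {"count": 0, "amount": Decimal("0")})
    for _, ledger, amount in rows:
        totals[ledger]["count"] += 1
        totals[ledger]["amount"] += amount
    return dict(totals)


def check_batches(batches):
    """Maker/checker rule: a batch counts as processed only if it is approved
    by someone other than its maker. Returns (findings, processed_rows)."""
    findings, processed_rows = [], []
    for b in batches:
        if not b["approved"]:
            findings.append((b["batch_id"], "not approved"))
            continue
        if b["checker"] is None or b["checker"] == b["maker"]:
            findings.append((b["batch_id"], "maker and checker are the same user"))
            continue
        processed_rows.extend(b["rows"])
    return findings, processed_rows


def reconcile(legacy, migrated):
    """Compare per-ledger control totals and voucher ids between the legacy
    extract and the processed ERP rows."""
    empty = {"count": 0, "amount": Decimal("0")}
    lt, mt = control_totals(legacy), control_totals(migrated)
    diffs = []
    for ledger in sorted(set(lt) | set(mt)):
        l, m = lt.get(ledger, empty), mt.get(ledger, empty)
        if l != m:
            diffs.append((ledger, l["count"], m["count"], l["amount"], m["amount"]))
    legacy_ids = {r[0] for r in legacy}
    migrated_ids = {r[0] for r in migrated}
    return diffs, sorted(legacy_ids - migrated_ids), sorted(migrated_ids - legacy_ids)


def run_reconciliation(legacy=LEGACY_LEDGER, batches=MIGRATED_BATCHES):
    """Full check: batch approval controls first, then reconciliation of what
    actually made it into the ERP."""
    batch_findings, processed = check_batches(batches)
    diffs, missing, extra = reconcile(legacy, processed)
    return {"batch_findings": batch_findings, "ledger_differences": diffs,
            "missing_vouchers": missing, "extra_vouchers": extra}


if __name__ == "__main__":
    for key, value in run_reconciliation().items():
        print(f"{key}: {value}")
```

Run against the sample data, the script reports batch B2 for a maker/checker violation and B3 as unapproved, and the reconciliation then shows the PURCHASE and INVENTORY ledgers short by one record each and vouchers V003 and V004 missing from the ERP. The point for the auditor is that reconciliation must be done on the rows that were actually approved and processed, not on everything that was uploaded.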
7. Methodology and Strategy adopted for execution of assignment
Cloud Computing Audit Program by ISACA:-
1. Planning and Scoping of Audit:-
- Define the audit or assurance service objective.
- Define the boundaries of review.
- Identify and document risks.
- Define the required audit resources.
- Define the deliverables and communications.
2. Governing the Cloud:-
- Governance and enterprise risk management (ERM)
- Legal and electronic discovery
- Compliance and audit
- Portability and interoperability
3. Operating in the Cloud:-
- Incident Response, Notifications
- Application security
- Data Security and integrity
- Identity and Access management
Audit Program or Audit Procedure:-
Below is the audit procedure under the COBIT framework; for each control objective the auditor has defined the corresponding audit procedure.
| S. No | COBIT Control Objective | Audit Procedure |
|-------|-------------------------|-----------------|
| 1 | Benefit Management (Acquire, Plan and Organize) | Review the process for developing metrics for measuring benefits, e.g. guidance from domain experts and industry analysts. |
| 2 | Supplier Contract Management (Acquire and Implement) | Confirm through interviews with key staff members that policies and standards are in place for establishing contracts with suppliers, e.g. legal contracts, financial contracts, intellectual property contracts etc. |
| 3 | Supplier Performance Monitoring (Deliver, Service and Support) | Inspect supplier service reports to determine whether supplier performance is in alignment with the predefined SLAs and the supplier contract. |
| 4 | Identity Management (Deliver, Service and Support) | Confirm that every user has a unique and generic id and that access rights to the system are as per the documented business process framework. |
| 5 | Network Security (Deliver, Service and Support) | Confirm with the organization that a network security policy has been established and is maintained. Further confirm that all network components, such as routers, VPN devices and switches, are updated regularly. |
| 6 | Information Exchange (Deliver, Service and Support) | Confirm with the organization that a proper encryption policy is in place for exchanging information outside the organization. |
| 7 | Contract Compliance (Monitor and Evaluate) | Review policies and procedures to ensure that contracts with third-party service providers comply with applicable laws, regulations and contractual commitments. |
| 8 | Data Integrity (Deliver, Service and Support) | Determine that a policy has been defined and implemented to protect sensitive information from unauthorized access, using authentication codes and encryption. |
8. Documents reviewed
We reviewed the following documents during execution of this assignment to identify controls and the weaknesses thereof.
- Information Security Policy:- First we reviewed the Information Security Policy (ISP) of the company and its content, to check whether the policy meets the objectives of the organization and its stakeholders. The board is responsible for framing the policy.
- Organization Structure:- The auditee organization has a proper hierarchy of departments, such as finance and accounts, sales and marketing, purchase and production, payroll, inventory management etc., so that the organization functions properly.
- Service Level Agreement or Vendor Contract:- The auditor has read and understood all the terms and conditions of the SLA. Any term that is harmful to the company has been discussed with management in order to secure stakeholder interests.
- Access Matrix:- The auditor has reviewed the access matrix, which lists employees and the extent of their data access rights.
- Audit Findings:- The auditor's findings with respect to the Cloud Service Provider are as follows:-
1. The auditor reviewed the firewall and anti-virus programs of the company, which secure data against unauthorized access.
2. The auditor reviewed the alternate delivery site for work, in case the CSP fails to provide service due to some circumstance.
3. The auditor reviewed the backup policy and the backup methodology: how backups are taken and the time frame thereof.
4. The auditor reviewed the DRP (Disaster Recovery Plan): how the company can continue its business functions even if business is interrupted by earthquake, tsunami, flood, fire etc.
5. The auditor reviewed the external and internal policies that affect the organization's business, both internally and externally.
We have taken references from the following:-
- ISA Background Material
- ISACA Audit Program and CAAT Tools
- ISO Standard 27001
The following table summarizes the review areas and the relevant findings, the auditor's suggestions and the risk rating.
| S. No | Auditor's Findings | Auditor's Recommendation / Suggestions | Risk Rating |
|-------|--------------------|----------------------------------------|-------------|
| 1 | Technology Selection:- Before moving to the cloud, the organization (auditee) did not perform a cost-benefit analysis. | NIL | Low |
| 2 | Physical Access Control:- Access to data should be allowed only to authorized persons, since the data may be sensitive to its stakeholders. | The organization should apply biometric devices so that an access history is kept.<br>The organization should adopt the maker and checker rule.<br>Use the audit trail to check who accessed the data previously and the user's activity.<br>Use the Clean Desk policy in order to secure sensitive data in paper form etc. | |
| 3 | Login Access Control:- In this scenario every user has a unique login and can access only the data for which they have been permitted for transactions. | This concept helps prevent any unauthorized data access. No user can approve or authenticate data. E.g. login id and password, network monitoring and access control. | Medium |
| 4 | Audit Trail:- In this scenario we can identify who last logged in, user activity and the time spent by previous users. | With the help of this concept, users are kept within the rights assigned to them in order to maintain data security and integrity; even if anybody attempts to work beyond his/her rights, the same is traceable. Personal accountability of users also exists. | Medium |
| 5 | Firewall:- Any data coming into or going out of the organization boundary is filtered by the firewall system. The system on which the firewall is installed is called a Bastion Host. | The firewall acts as a security barrier between the public and private networks and checks any data packets coming from the outside world into the private network, since it checks data packets for authentication and authorization etc. The organization should install all firewall types, namely proxy server, network level, application level and stateful inspection. | Medium |
| 6 | Data Privacy and Confidentiality:- Access to customer data is restricted to the respective organization and its authorized personnel, and is not to be shared with other organizations or other personnel. | The organization should establish a policy to maintain data privacy with respect to other service receivers of the same cloud service provider. | High |
| 7 | Service Level Agreement:- Any term or condition that is harmful to the auditee organization, such as blackout or disruption in service. | The organization and the CSP should meet in order to resolve the conflict and agree on the alternate sites from which service will be provided in case of emergency failure of the main sites. | Medium |
| 8 | Natural Disaster Events:- The organization should consider natural events such as earthquake, tsunami, flood, fire etc. | The organization should have one additional BCP site with complete IT infrastructure in case of natural disaster, so that normal business functions continue without disruption. | High |
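The access matrix review, the login access control finding and the audit trail finding above all come down to one check: compare what each user actually did, as recorded in the audit trail, against the rights granted in the access matrix, and report who last logged in and how long they were active. The following script is an added example written for this report, not code from the original document or from the WOCS product; the access matrix, module names (AR, GL, INV, PAYROLL), user names and the audit-trail line format (timestamp, user, event, module, action) are constructed assumptions.

```python
"""Added example: review an application audit trail against an access matrix.
Access matrix, users, modules and log lines are constructed sample data."""
from datetime import datetime

# Constructed access matrix: user -> module -> set of permitted actions.
ACCESS_MATRIX = {
    "alice": {"AR": {"read", "modify"}, "GL": {"read"}},
    "bob":   {"AR": {"read", "approve"}, "GL": {"read", "modify", "approve"}},
    "carol": {"INV": {"read"}},
}

# Constructed audit-trail extract. Assumed layout per line:
# <ISO timestamp> <user> <LOGIN|LOGOUT|ACTION> <module|-> <action|->
AUDIT_TRAIL = """\
2024-03-01T09:00:00 alice LOGIN - -
2024-03-01T09:05:12 alice ACTION AR modify
2024-03-01T09:07:40 alice ACTION GL modify
2024-03-01T09:30:00 alice LOGOUT - -
2024-03-01T10:00:00 bob LOGIN - -
2024-03-01T10:02:00 bob ACTION GL approve
2024-03-01T10:15:00 bob LOGOUT - -
2024-03-01T11:00:00 carol LOGIN - -
2024-03-01T11:01:00 carol ACTION PAYROLL read
2024-03-01T12:00:00 mallory LOGIN - -
"""


def parse_trail(text):
    """Parse the assumed line layout into event dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, module, action = line.split()
        events.append({"ts": ts, "user": user, "event": event,
                       "module": module, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def find_violations(events, matrix):
    """Flag events by users absent from the matrix, actions on modules the user
    was never granted, and actions beyond the rights granted on a module."""
    violations = []
    for e in events:
        rights = matrix.get(e["user"])
        row = (e["ts"], e["user"], e["module"], e["action"])
        if rights is None:
            violations.append(row + ("user not in access matrix",))
            continue
        if e["event"] != "ACTION":
            continue
        if e["module"] not in rights:
            violations.append(row + ("no access to module",))
        elif e["action"] not in rights[e["module"]]:
            violations.append(row + ("action beyond granted rights",))
    return violations


def session_summary(events):
    """Per user: last login timestamp, total seconds of closed sessions, and
    number of recorded actions. A session without LOGOUT adds no time."""
    summary, open_sessions = {}, {}
    for e in events:
        entry = summary.setdefault(
            e["user"], {"last_login": None, "time_spent_seconds": 0, "actions": 0})
        if e["event"] == "LOGIN":
            entry["last_login"] = e["ts"]
            open_sessions[e["user"]] = datetime.fromisoformat(e["ts"])
        elif e["event"] == "LOGOUT" and e["user"] in open_sessions:
            start = open_sessions.pop(e["user"])
            delta = datetime.fromisoformat(e["ts"]) - start
            entry["time_spent_seconds"] += int(delta.total_seconds())
        elif e["event"] == "ACTION":
            entry["actions"] += 1
    return summary


if __name__ == "__main__":
    events = parse_trail(AUDIT_TRAIL)
    for v in find_violations(events, ACCESS_MATRIX):
        print("VIOLATION", *v)
    for user, s in session_summary(events).items():
        print(user, s)
```

On the sample trail this flags alice modifying the GL module where she only holds read rights, carol touching a PAYROLL module she was never granted, and a login by "mallory", who does not appear in the access matrix at all, while the session summary gives the last login and time spent per user that the audit trail finding refers to. In a real review the access matrix would be exported from the ERP's user administration and the trail from its audit log, in whatever format the product provides.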
Implication of High, Medium and Low:-
- High:- The finding exposes the organization to significant risk and requires immediate resolution.
- Medium:- The finding exposes the organization to risk that requires resolution in the near future.
- Low:- The finding does not require action from the organization.
11. Format of Report/Findings and Recommendations
As mentioned in Point No 10
As per the discussion held with management, the BOD of the company has initiated corrective steps to overcome the 'high implication' findings observed in the audit, and for those with medium implication the BOD will take corrective action as soon as possible. Since the company has migrated to a 'Cloud-based ERP System', it will initially be difficult for the organization as a whole to adopt the newer technological environment perfectly. However, management is optimistic about future guidance with respect to the adoption of technological changes and their impact on the organization.